CVE-2016-1000031

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Apache Commons FileUpload versions prior to 1.3.3

Description The issue is related to the deserialization mechanism in the DiskFileItem class of the Apache Commons FileUpload library. It allows a remote attacker to execute arbitrary code or manipulate files in the target system using specially crafted data. The vulnerability can be exploited by sending a specially formed Java Object, enabling the attacker to write or copy files to arbitrary disk locations and execute arbitrary code.

Recommendations For versions prior to 1.3.3, update to version 1.3.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the DiskFileItem class until a patch is available.

Fix

RCE

Improper Access Control

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284CWE-502

Related Identifiers

ALT-PU-2017-3595

BDU:2018-01429

CVE-2016-1000031

GHSA-7X9J-7223-RG5M

OPENSUSE-SU-2019:1399-1

OPENSUSE-SU-2019_1399-1

SUSE-SU-2019:1212-1

SUSE-SU-2019:1212-2

SUSE-SU-2019:1214-1

SUSE-SU-2019:14044-1

SUSE-SU-2019_1212-1

SUSE-SU-2019_1212-2

SUSE-SU-2019_1214-1

SUSE-SU-2019_14044-1

ZDI-16-570

Affected Products

Alt Linux

Apache Commons Fileupload

Apache Struts

Debian

Suse

CVE-2016-1000031

Weakness Enumeration

Related Identifiers

Affected Products

References · 64